repo package, versions <3.18.5

Q: How to fix?

Upgrade helm.sh/helm/v3/pkg/repo to version 3.18.5 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-GOLANG-HELMSHHELMV3PKGREPO-11799541
published14 Aug 2025
disclosed14 Aug 2025
creditJakub Ciolek

Report a new vulnerability Found a mistake?

Introduced: 14 Aug 2025

NewCVE-2025-55198 (opens in a new tab) CWE-908 (opens in a new tab)

How to fix?

Upgrade helm.sh/helm/v3/pkg/repo to version 3.18.5 or higher.

Overview

helm.sh/helm/v3/pkg/repo is a package manager for kubernetes.

Affected versions of this package are vulnerable to Use of Uninitialized Resource via improper validation when parsing Chart.yaml and index.yaml files. An attacker can cause a panic in the application by providing malformed or unexpected YAML content, such as a null maintainer, non-string values in dependencies' import-values, or empty entries in chart version lists.

Workaround

This vulnerability can be mitigated by ensuring YAML files are formatted as expected prior to processing.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None